
Chapter 1: Networking Security Concepts

I. Foundation Topics
II. Understanding Network and Information Security Basics
1. A lack of security has financial implications; a business must have security.

2. Network Security Objectives


1. The network means different things depending on who you are. Senior management
sees the network as a business tool, users see it as a tool to get their job done
(and possibly for recreation), and network engineers see it as the center of the universe.
2. Users often do not appreciate network security and therefore represent a security risk;
training them should be part of a comprehensive security policy.

3. Confidentiality, Integrity, and Availability


1. Three basic network security objectives
a. Confidentiality Applies to data in motion and to stored data. Only authorized
people are allowed access to confidential data. Data in motion is protected by
encryption and/or by passing the data over a separate physical network.
b. Integrity Changes to data are made only by authorized individuals. Corruption
of data is a failure to maintain data integrity.
c. Availability Applies to both systems and data. Loss of availability is caused by a
network failure or possibly a DoS attack. Loss of availability usually translates into
lost revenue.

4. Cost-Benefit Analysis of Security


5. Security Terms
Table 1-2 Security Terms
Asset: An asset is an item that is to be protected and can include property, people, and
information/data that have value to the company. This includes intangible items
such as proprietary information or trade secrets and the reputation of the
company. The data could include company records, client information,
proprietary software, and so on.
Vulnerability: A vulnerability is an exploitable weakness of some type. That exploitation might
result from a malicious attack, or it might be accidentally triggered because of a
failure or weakness in the policy, implementation, or software running on the
network.
Threat: This is what you are protecting against. A threat is anything that attempts to gain
unauthorized access to, compromise, destroy, or damage an asset. Threats are
often realized via an attack or exploit that takes advantage of an existing
vulnerability. Threats today come in many varieties and spread more rapidly
than ever before. Threats can also morph and be modified over time, and so you
must be ever diligent to keep up with them.
Risk: Risk is the potential for unauthorized access to, compromise, destruction, or
damage to an asset. If a threat exists, but proper countermeasures and
protections are in place (it is your goal to provide this protection), the potential
for the threat to be successful is reduced (thus reducing the overall risk).
Countermeasure: A countermeasure is a device or process (a safeguard) that is implemented to
counteract a potential threat, which thus reduces risk.

6. Classifying Assets
1. Classifying assets is important in order to be able to apply the appropriate security and
treatment of that asset. For example, you would classify a type of data traveling over a
VPN as top secret and therefore encrypt that data as opposed to unclassified insecure
data.
Table 1-3 Asset Classifications
Governmental classifications
1. Top Secret
2. Secret
3. Confidential
4. Sensitive but unclassified (SBU)
5. Unclassified
Private sector classifications
1. Confidential
2. Private
3. Sensitive
4. Public
Classification criteria
1. Useful lifetime
2. Replacement cost
3. Age
4. Value
Classification roles
1. Owner (the group ultimately responsible for the data, usually senior management of a
company)
2. Custodian (the group responsible for implementing the policy as dictated by the
owner)
3. User (those who access the data and abide by the rules of acceptable use for the data)

7. Classifying Vulnerabilities
1. One must discover and classify vulnerabilities in order to put in place policy and
technology to mitigate them
a. Policy flaws
b. Design errors
c. Protocol weaknesses
d. Misconfiguration
e. Software vulnerabilities
f. Human factors
g. Malicious software
h. Hardware vulnerabilities
i. Physical access to network resources
2. Public databases that catalog and categorize known vulnerabilities
a. Common Vulnerabilities and Exposures (CVE)
b. National Vulnerability Database (NVD)

8. Classifying Countermeasures
1. Common control methods used to implement countermeasures include the following
a. Administrative These consist of written policies, procedures, guidelines, and
standards. An example would be a written acceptable use policy (AUP), agreed to
by each user on the network. Another example is a change control process that
needs to be followed when making changes to the network. Administrative
controls could involve items such as background checks for users, as well.

b. Physical Physical controls are exactly what they sound like: physical security for
the network servers, equipment, and infrastructure. An example is providing a
locked door between users and the wiring closet on any floor (where the switches
and other gear exist). Another example of a physical control is a redundant system
(for instance, an uninterruptible power supply).
c. Logical Logical controls include passwords, firewalls, intrusion prevention
systems, access lists, VPN tunnels, and so on. Logical controls are often referred to
as technical controls.
2. Not all controls are created equal, but when they all work together you can put in
place a successful strategy that prevents, detects, corrects, and recovers, all while acting
as a deterrent to a threat.

9. What Do We Do with the Risk?


1. Remove the risk If a web server is at risk, take the web server offline. This usually
isn't a great way of dealing with risk, because the web server is probably necessary for
the business.
2. Transfer the risk Hire someone else to host the web server; they take all
responsibility for securing the web server and keeping it up.
a. The hosting provider secures the web server in the same way as we learn in this book.
b. If the risk is financial, you could also buy insurance.
3. Mitigate the risk Host the web server yourself, assume the risk, and reduce it with
countermeasures:
a. Patches on the web server
b. Firewalls and IPSs
c. Other safeguards

III. Recognizing Current Network Threats


1. Potential Attackers
1. Generic categories of attackers:
a. Terrorists
b. Criminals
c. Government agencies
d. Nation-states
e. Hackers
f. Disgruntled employees
g. Competitors
h. Anyone with access to a computing device (sadly)
2. These types of attackers are usually referred to as the following:
a. Hacker/cracker (criminal hacker)
b. Script kiddie
c. Hacktivist
d. etc.
3. A security practitioner must understand the enemy: the motivations and interests of the
people trying to break all those things you seek to protect.
a. Financial gain
b. Notoriety from attacking a well-known company or brand
c. Some throw their net wide and hurt companies both intended and unintended
4. Back in the old days
a. Basic intrusions (war dialing, etc.)
b. Viruses were fairly new, and people sought notoriety while the Internet was in its
infancy
c. 1990s and early 2000s: an increase in the number of viruses and malware; it was about
fame
5. Now it is more about actual theft of information and damage with financial
repercussions. Attackers may also be motivated by government or industrial espionage.

2. Attack Methods
1. Most attackers try to stay in the shadows, using a variety of techniques when
attempting to compromise a network.
Table 1-4 Attack Methods
Reconnaissance: This is the discovery process used to find information about the network. It could
include scans of the network to find out which IP addresses respond, and further scans
to see which ports are open. This is usually the first step taken, to discover what is on
the network and to determine potential vulnerabilities.
Social engineering: This is a tough one because it leverages what is very likely the weakest point in a
secure network: the user. If the attacker can get the user to reveal information, it is
much easier for the attacker than using some other method of reconnaissance. This
could be done through email or misdirection of web pages, which results in the user
clicking something that leads to the attacker gaining information. Social engineering
can also be done in person or over the phone.
Phishing presents a link that looks like a valid trusted resource to a user. When the user
clicks it, the user is prompted to disclose confidential information such as
usernames/passwords.
Pharming redirects a user's request for a valid URL to a malicious site that is made to
appear as the valid site to the user. From there, an attempt is made to extract
confidential information from the user.
Privilege escalation: This is the process of taking some level of access (whether authorized or not) and
achieving an even greater level of access. An example is an attacker who gains user
mode access to a router and then uses a brute-force attack against the router to
determine the enable secret for privilege level 15 access.
Back doors: When attackers gain access to a system, they usually want future access as well, and
they want it to be easy. A backdoor application can be installed either to allow future
access or to collect information to use in further attacks.
Many back doors are installed by users clicking something without realizing the link
they click or the file they open is a threat. Back doors can also be implemented as a
result of a virus or a worm (often referred to as malware).

3. Attack Vectors
1. Attacks are launched both from outside a company and from within. It could be
a user who is just curious, or perhaps the user's computer has a backdoor on it. Your
security policy must not take anything for granted and must protect the network from both
attack vectors.
2. A security policy that takes nothing for granted makes use of technologies such as:
a. 802.1X with Cisco ACS
b. Network Admission Control (NAC) or the Identity Services Engine (ISE)
c. Switch port security

4. Man-in-the-Middle Attacks
1. The main purpose is reconnaissance (eavesdropping). The attacker sits between two
communicating devices, either to observe the data or to manipulate it. This happens at L2 or L3.
a. L2 ARP poisoning: The attacker poisons the host's ARP table so that the host believes the
attacker's MAC address belongs to the default gateway and sends its traffic to the attacker
instead of the real default gateway. To remain transparent, the attacker forwards the traffic
on to the real default gateway; otherwise the host would notice a network problem and
stop sending traffic.
Mitigation: Dynamic ARP Inspection (DAI).
b. L2 STP: Add a switch to the topology with a better (numerically lower) bridge priority so
that it becomes the root bridge; all traffic that must cross the root then passes through the
attacker's switch.
Mitigation: root guard and other techniques (such as BPDU guard on end-user ports).
c. L2 CAM table: Another attack not yet discussed in the book is flooding the CAM table
with frames from unique source MAC addresses until the CAM memory runs out; the switch
then floods all subsequent unknown-destination traffic out every port, so the attacker can
capture it with a packet analyzer.
Mitigation: port security.
d. L3: A rogue router is installed and its metrics are manipulated so that the routing domain
believes the rogue router has the best routes or best paths to any particular destination prefix.
Mitigation: routing protocol authentication, and disabling routing advertisements out of
interfaces that should not have routing protocol neighbors (passive-interface configuration).
e. Encryption and VPN: Never use clear-text management protocols; use SSH and/or HTTPS,
SNMPv3, and so on. Also use VPN/encrypted transport for sensitive data.
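The mitigations listed above (DAI, root guard, port security, routing protocol authentication with passive interfaces, and encrypted management protocols) are shown together below as one Cisco IOS configuration. This is an added example for these notes, not configuration from the book; the hostnames, VLAN 10, interface numbers, RFC 5737 / RFC 1918 addresses, and every key or password string are assumptions chosen for illustration.

```cisco
! === Access switch SW1: L2 man-in-the-middle mitigations ===
! DAI checks ARP replies against the DHCP snooping binding table, so snooping comes first
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
ip arp inspection validate src-mac dst-mac ip
!
interface GigabitEthernet0/1
 description Uplink to distribution switch (trusted; real root bridge is upstream)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
!
interface range GigabitEthernet0/2 - 23
 description User access ports (untrusted)
 switchport mode access
 switchport access vlan 10
 ! Port security caps source MACs per port, so CAM-table flooding err-disables/restricts the port
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
 switchport port-security mac-address sticky
 ! End hosts never send BPDUs; BPDU guard shuts the port if a rogue switch appears here
 spanning-tree portfast
 spanning-tree bpduguard enable
!
interface GigabitEthernet0/24
 description Downstream access switch (must never become the root)
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
 ! Root guard: a superior BPDU on this port puts it into root-inconsistent state
 spanning-tree guard root
!
! === Router R1: rogue-router mitigation and encrypted management plane ===
hostname R1
ip domain-name example.com
!
router ospf 1
 router-id 192.0.2.1
 ! No hellos on any interface unless explicitly un-passived: the LAN never sees OSPF
 passive-interface default
 no passive-interface GigabitEthernet0/0
 network 192.0.2.0 0.0.0.255 area 0
 network 10.10.10.0 0.0.0.255 area 0
 area 0 authentication message-digest
!
interface GigabitEthernet0/0
 description Link to core router (the only place OSPF neighbors are expected)
 ip address 192.0.2.1 255.255.255.0
 ip ospf message-digest-key 1 md5 Example-OSPF-Key
!
! Management: SSHv2 and HTTPS instead of Telnet/HTTP, SNMPv3 authPriv instead of v1/v2c
crypto key generate rsa modulus 2048
ip ssh version 2
username netadmin privilege 15 secret Example-Admin-Pass
line vty 0 4
 login local
 transport input ssh
no ip http server
ip http secure-server
snmp-server group NMS-RO v3 priv
snmp-server user nms NMS-RO v3 auth sha Example-Auth-Pass priv aes 128 Example-Priv-Pass
```

Root guard belongs on ports facing away from the legitimate root (downstream switches and anything an attacker can plug into), never on the uplink toward the real root, or the legitimate root's BPDUs would be blocked. On an IOS switch, `show ip arp inspection`, `show port-security`, and `show spanning-tree inconsistentports` confirm that each control is actually active.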

5. Other Miscellaneous Attack Methods


1. There is no standard grouping of attackers, and some attacks use multiple methods; see
some additional attack methods below.
Table 1-5 Additional Attack Methods
Covert channel: This method uses programs or communications in unintended ways. For example, if
the security policy says that web traffic is allowed but peer-to-peer messaging is not,
users can attempt to tunnel their peer-to-peer traffic inside of HTTP traffic. An
attacker may use a similar technique to hide traffic by tunneling it inside of some other
allowed protocol to avoid detection. An example of this is a backdoor application
collecting keystroke information from the workstation and then slowly sending it out
disguised as ICMP. This is a covert channel.
By contrast, an overt channel is the legitimate use of a protocol, such as a user with a web
browser using HTTP to access a web server.
Trust exploitation: If the firewall has three interfaces, and the outside interface allows all traffic to the
demilitarized zone (DMZ) but not to the inside network, and the DMZ allows access
to the inside network from the DMZ, an attacker could leverage that by gaining access
to the DMZ and using that location to launch attacks from there into the inside
network. Other trust models, if incorrectly configured, may allow unintended access
to an attacker, including Active Directory and NFS (the UNIX Network File System).
Password attacks: These could be brute force, where the attacker's system attempts thousands of possible
passwords looking for the right match. This is best protected against by specifying
limits on how many unsuccessful authentication attempts may occur within a specified
time frame. Password attacks can also be carried out through malware, man-in-the-middle
attacks using packet sniffers, or key loggers.
Botnet: A botnet is a collection of infected computers that are ready to take instructions from
the attacker. For example, if the attacker has malicious backdoor software installed
on 10,000 computers, from a central location he could instruct those computers to all
send TCP SYN requests or ICMP echo requests repeatedly to the same destination. To
add insult to injury, he could also spoof the source IP address of the requests so that
reply traffic is sent to yet another victim. A covert channel is generally used by the
attacker to manage the individual devices that make up the botnet.
DoS and DDoS: Denial-of-service attack and distributed denial-of-service attack. An example is using
a botnet to attack a target system. If an attack is launched from a single device with
the intent to cause damage to an asset, the attack could be considered a DoS attempt,
as opposed to a DDoS. Both types of attacks want the same result; whether it is called a
DoS or a DDoS depends only on how many source machines are used in the attack.
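The password-attack row above recommends limiting failed authentication attempts within a time window. The Cisco IOS fragment below is an added example for these notes (not from the book) showing a weak login configuration next to a throttled and audited one; the management subnet 10.10.99.0/24, the syslog host address, and the account names and secret strings are assumptions.

```cisco
! --- Weak: Telnet in clear text, shared line password, reversible enable password, no throttling ---
enable password cisco123
line vty 0 4
 password cisco123
 login
 transport input telnet
!
! --- Hardened: per-user hashed secrets, SSH only, throttled and logged login attempts ---
service password-encryption
enable secret Example-Enable-Secret
username netadmin privilege 15 secret Example-Admin-Pass
! After 5 failures within 60 seconds, refuse further logins for 120 seconds (quiet mode) ...
login block-for 120 attempts 5 within 60
! ... except from the management subnet, so an attacker cannot lock operators out
ip access-list standard MGMT-HOSTS
 permit 10.10.99.0 0.0.0.255
login quiet-mode access-class MGMT-HOSTS
! Pause between successive login prompts to slow an online guessing tool further
login delay 2
! Every failed and successful login goes to syslog, feeding the auditing/accounting server
login on-failure log
login on-success log
logging host 10.10.99.50
logging trap informational
line vty 0 4
 login local
 transport input ssh
 exec-timeout 10 0
```

`login block-for` only takes effect when the vty lines authenticate with `login local` or AAA, which is why the hardened version switches away from the shared line password. Note that this throttles online guessing only; an attacker who captures the configuration can still attack `secret` hashes offline, so the secrets themselves must be long and unique.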

IV. Applying Fundamental Security Principles to Network Design


1. Guidelines
1. This section examines the holistic approach to improve the security posture of your
network before, during and after your network implementation.
2. You want some basic principles and guidelines in place in the early stages of designing
and implementing a network; the following describes such key guidelines.
Table 1-6 Guidelines for Secure Network Architecture
Rule of least privilege: This rule states that only the minimal access required to the necessary network
resources is provided, and no more. An example is an access list applied to an
interface for filtering that ends with deny all; before that final entry, specific entries
are added allowing only the bare minimum of required protocols, and only between
the correct source and destination addresses.
Defense in depth: This concept suggests that you have security implemented at nearly every point of
your network. An example is filtering at a perimeter router, filtering again at a
firewall, using IPSs to analyze traffic before it reaches your servers, and using
host-based security precautions at the servers as well. This is defense in depth.
Using authentication and authorization mechanisms could also be part of a
defense-in-depth approach.
The concept behind defense in depth is that if a single system fails, it does not
mean that security has been completely removed from the equation.
Separation of duties: By placing specific individuals into specific roles, there can be checks and
balances in place regarding the implementation of the security policy. Rotating
individuals into different roles periodically will also help verify that
vulnerabilities are being addressed, because a person who moves into a new role
will be required to review the policies in place.
Auditing: This refers to accounting and keeping records about what is occurring on the
network. Most of this can be automated through the features of authentication,
authorization, and accounting (AAA) (covered later in this book). When events
happen on the network, the records of those events can be sent to an accounting
server. When the separation-of-duties approach is used, those who are making
changes on the network should not have direct access to modify or delete the
accounting records that are kept on the accounting server.
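The four guidelines in Table 1-6 map directly onto router configuration: a least-privilege access list that permits only the required protocols between the right addresses and ends in a logged deny, and AAA that separates the operator who makes changes from the server that keeps the accounting records. The Cisco IOS fragment below is an added example for these notes, not configuration from the book; the DMZ web server 203.0.113.10, the TACACS+ server 10.10.99.20, the privilege-level split, and all secret strings are assumptions.

```cisco
! === Perimeter router R1: least privilege on the Internet-facing interface ===
! Only the published DMZ service is reachable; everything else is denied and logged,
! which also gives the auditing server a record of what was dropped.
ip access-list extended FROM-INTERNET
 remark Anti-spoofing: packets from the Internet must not claim internal/RFC 1918 sources
 deny ip 10.0.0.0 0.255.255.255 any log
 deny ip 172.16.0.0 0.15.255.255 any log
 deny ip 192.168.0.0 0.0.255.255 any log
 remark Return traffic for TCP sessions initiated from inside
 permit tcp any any established
 remark Published DMZ web server, HTTPS only (the bare minimum required protocol)
 permit tcp any host 203.0.113.10 eq 443
 remark Explicit deny all, logged
 deny ip any any log
!
interface GigabitEthernet0/0
 description Internet-facing interface (the perimeter router is one layer; the
 description firewall, IPS, and host hardening behind it are the others)
 ip address 203.0.113.1 255.255.255.0
 ip access-group FROM-INTERNET in
!
! === Separation of duties and auditing through AAA ===
aaa new-model
tacacs server TACACS1
 address ipv4 10.10.99.20
 key Example-Tacacs-Secret
! Authenticate and authorize against TACACS+; local accounts only if the server is unreachable
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
! Accounting records leave the device immediately: the operator who types a command
! cannot edit or delete the record of it on the accounting server
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
! Least privilege for people as well as packets: read-only operators get level 5, not 15
privilege exec level 5 show ip route
privilege exec level 5 show interfaces
privilege exec level 5 show logging
username helpdesk privilege 5 secret Example-Helpdesk-Pass
! Break-glass local admin, used only when TACACS+ is down; its use shows up in the logs
username break-glass privilege 15 secret Example-BreakGlass-Pass
```

The order of the access list entries matters: the anti-spoofing denies sit above `permit tcp any any established` so that a spoofed packet with the ACK bit set cannot slip through on the established rule. `show access-lists FROM-INTERNET` shows per-entry hit counters, which is the quickest check that the deny-all line is doing the work you expect.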

2. How it All Fits Together

V. Do I Know This Already? Quiz


1. Which security term refers to a person, property, or data of value to a
company?
a. Risk
b. Asset
c. Threat prevention
d. Mitigation technique
2. Which asset characteristic refers to risk that results from a threat and lack of a
countermeasure?
a. High Availability
b. Liability
c. Threat prevention
d. Vulnerability
3. Which three items are the primary network security objectives for a company?
a. Revenue generation
b. Confidentiality
c. Integrity
d. Availability
4. Which data classification label is usually not found in a government organization?
a. Unclassified
b. Classified but not important
c. Sensitive but unclassified
d. For official use only
e. Secret
5. Which of the following represents a physical control?
a. Change control policy
b. Background checks
c. Electronic lock
d. Access lists
6. What is the primary motivation for most attacks against networks today?
a. Political
b. Financial
c. Theological
d. Curiosity
7. Which type of an attack involves lying about the source address of a frame or packet?
a. Man-in-the-middle attack
b. Denial-of-service attack
c. Reconnaissance attack
d. Spoofing attack
8. Which two approaches to security provide the most secure results on day one?
a. Role based
b. Defense in depth
c. Authentication
d. Least privilege
9. Which of the following might you find in a network that is based on a defense-in-depth
security implementation? (Choose all that apply.)
a. Firewall
b. IPS
c. Access Lists
d. Current patches on servers

10. In relation to production networks, which of the following are viable options when
dealing with risk? (Choose all that apply.)
a. Ignore it
b. Transfer it
c. Mitigate it
d. Remove it

VI. Review All the Key Topics


Table 1-7 Key Topics
Key topic element - Description - Page number
Text - Confidentiality, integrity, and availability (CIA; the 3 main security objectives) - 8
Confidentiality refers both to allowing only authorized parties access to the data in
question and to encrypting the data and/or transporting it over a secured
network that is separate from the network that carries unclassified data.
Integrity refers to keeping data free of corruption and ensuring that changes to it are
made only by authorized parties. Availability refers to keeping data available to
authorized parties by keeping the network up, as well as the servers and/or other
hardware.
Table 1-2 - Security terms - 10
Table 1-3 - Asset classifications - 11
Text - Classifying countermeasures - 12
Text - Man-in-the-middle attacks - 15
Table 1-5 - Additional attack methods - 16
Table 1-6 - Guidelines for secure network architecture - 18

VII. Complete the Tables and Lists from Memory


Table 1-2 Security Terms: asset, vulnerability, threat, risk, countermeasure (definitions as
given in Table 1-2 above)
Table 1-5 Additional Attack Methods: covert channel (versus overt channel), trust
exploitation, password attacks, botnet, DoS and DDoS (definitions as given in Table 1-5 above)

VIII. Define Key Terms


1. asset
2. vulnerability
3. threat
4. risk
